Updated April 20, 2023
Introduction to PKIX
PKIX stands for Public Key Infrastructure X.509. The X.509 standard defines the structure, format, and fields for digital certificates, it also specifies the procedures for distributing public keys. To extend these standards and make them universal IETF (Internet Engineering Task Force) forms the PKIX working group. PKIX extends the basic philosophy of the X.509 standard and specifies the implementation of digital certificates in the world of the Internet. Additionally, other PKI models have been defined for application use in various domains. For example, ANSI, ASC X9F standards are used by financial organizations.
Services provided by are as follows:
- Registration: It is a process where end-entity registers itself to a CA. Usually, the registration is done via the RA.
- Initialization: This deals with basic problems such as the methodology of verifying that the end entity is talking to the right CA.
- Certification: It is a process where CA creates a digital certificate for end-entity and returns it to the end entity. CA also maintain a copy fo certificate for its records. If required, CA also copied it in public directories.
- Key pair recovery: Keys which are used for encrypting documents may be required to be recovered later for decrypting the same old documents. Key archival and recovery services can be provided by CA or by an independent key recovery system.
- Key generation: PKIX model specifies that the end entity should be able to generate the public key and private key pairs or CA should be able to do this for the end entity.
- Key update: It is a process where the expired key of the digital certificate is automatically renewed and replaced with a new key pair. However, there is a provision for manual digital certificate renewal requests and responses.
- Cross certification: It is a process where end entities that re-certified by different CA, can cross verify each other. It helps in establishing trust models.
- Revocation: PKIX model provides support for checking certificate status in two modes, online using OCSP and offline using CRL.
PKIX Architectural Model
PKIX has developed a document that describes five areas of its architectural model. These areas are as follows:
1. 509 V3 certificate and V2 certificate revocation list profiles
X.509 standard allows the use of various options while describing the extension of digital certificates. PKIX has grouped all options that are deemed fit for internet users. It calls this group of options as the profile of internet users. This profile is described in RFC2459 and specifies which attributes must/may/may not be supported. Appropriate value ranges for the values used in each extension category are also provided. For instance, the X.509 standard does not specify the instruction codes when the certificate is suspended. PKIX defines them.
2. Operational protocols
These define the underlying protocols that provide the transport mechanism for delivering certificates. CRLs and other management and status information to PKI users. Since each of these requirements demands a different way of service, how to use HTTP, LDAP, FTP, X.500, etc. are defined for this purpose.
3. Management Protocols
These protocols enable exchange information between various PKI entities. For example, how to carry registration request revocation status or cross-certification request and response. The management protocol specifies the structure of the message that floats between the entities. They also specify what details are required to process these messages. Examples of management protocols include CMP (Certificate Management Protocol) for requesting a certificate.
4. Policy outlines
PKIX defines the outlines for CP (Certificate Policies) and CPS (Certificate Practice Statements) in RFC2527. These define the policies for the creation of a document such as certificate policies which determine what considerations are important when choosing a type of certificate for a particular application domain.
5. Timestamp and data certification service
Timestamping service is provided by a trusted third party which is called Time Stamp Authority. The main purpose of this service is to sign a message to guarantee that it existed before a specific date and time. This helps deal with non-repudiation claims. DCS (Data certification Service) is a trusted third party s service that verifies the correctness of the data that it receives. this is similar to the notary service in real life, where for instance, it can use it for getting one’s property certified.
PKIX stands for Public Key Infrastructure X.509 standard is a model which deals with the issue related to PKI technology i.e. Public Key Infrastructure. In this article, we have discussed the concept of PKIX with its working, Services, and architecture.
This is a guide to PKIX (Public Key Infrastructure X.509). Here we discuss the PKIX services along with the five areas of its architectural model. You may also have a look at the following articles to learn more –